The point of canonicalizing was to impose an order on the attributes.

For your part B, XPath says that attribute order is application dependent.
Well, the DSig XPath transform is an application of XPath, and the defined
order is c14n order. An application that conforms to dsig MUST conform to
dsig's usage of XPath.

For your part A, the same argument applies. Regardless of the processor the
application intends to use, the processor used for the XPath transform MUST
supply the attributes to the XPath expression evaluator in the c14n order.
Furthermore, the XPath transform output function must not modify that order
when it writes out a text rendering of the transformed document.

So, yes, there would be the problems you specified except that we wrote this
section to solve those problems. It means that you can't use any old
processor you like to implement XPath transforms. You MUST use something
that causes the c14n view of the document to be fed directly to the XPath
evaluator.

John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of TAMURA Kent
Sent: Thursday, January 13, 2000 11:35 PM
To: w3c-ietf-xmldsig@w3.org
Subject: XPath transform

http://www.w3.org/TR/2000/WD-xmldsig-core-20000104#sec-XPath

> The XPath transform applies the W3C XML canonicalization
> [XML-C14N] to the input resource. This ensures all entity
> reference substitutions and attribute normalizations are
> performed in a manner consistent with a validating XML
> processor. Linefeeds are normalized, and CDATA sections are
> eliminated. The types of quotes around attributes are
> normalized, and the order of attributes is defined. Namespace
> attributes are created in descendant elements that use
> namespace definitions. All of these modifications are necessary
> to achieve a consistent interpretation of the XPath expression
> and a consistent output of the XPath transform.

If the XML-C14N is applied to the input before the XPath
processing, the attribute order is not constant in the result
node-set.

The attribute order gets unsettled when:
A) An XML processor parses the document, or
B) An XPath processor collects attributes in an element (an
XPath processor may reorder attributes because the attribute
order is implementation-dependent according to the XPath 1.0
Recommendation)

Applying the XML-C14N might avoid A (if an XML processor is
not used between the XML-C14N and the XPath) and never avoids B.

> The result of the XPath is a string, boolean, number, or
> node-set. If the result of the XPath expression is a string,
> then the string is the output of the XPath transform.

How is a digest value of the result string calculated? That is,
what character encoding is used to convert the result string to
an octet sequence?

--
TAMURA Kent @ Tokyo Research Laboratory, IBM
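
Added example, not part of the original e-mails: a small Python sketch of why the serializer has to impose a defined attribute order before digesting, using two constructed attribute lists that stand for the same element as handed over by two different processors. Assumptions: the sort key is the one from the later Canonical XML 1.0 Recommendation (namespace URI, then local name), namespace declarations are left out, and the digest is SHA-256 over UTF-8 octets; the thread fixes none of these, and all names are hypothetical.

```python
import hashlib


def c14n_attr_key(attr):
    """Sort key from Canonical XML 1.0: namespace URI first, then local name."""
    ns_uri, local_name, _qname, _value = attr
    return (ns_uri, local_name)


def escape_attr(value):
    """Attribute-value escaping as defined by Canonical XML 1.0."""
    for raw, ref in (("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"),
                     ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;")):
        value = value.replace(raw, ref)
    return value


def render_start_tag(name, attrs, canonical_order):
    """Serialize a start tag, optionally imposing the canonical order."""
    if canonical_order:
        attrs = sorted(attrs, key=c14n_attr_key)
    rendered = "".join(f' {q}="{escape_attr(v)}"' for _ns, _ln, q, v in attrs)
    return f"<{name}{rendered}>"


def digest(text):
    # Assumption: UTF-8 octets and SHA-256; the thread specifies neither.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample: (namespace URI, local name, qualified name, value).
PROCESSOR_A = [
    ("", "id", "id", "f1"),
    ("http://example.org/b", "kind", "b:kind", "x<y"),
    ("", "amount", "amount", "10"),
]
# A second processor that returns the same attributes in another order.
PROCESSOR_B = list(reversed(PROCESSOR_A))

if __name__ == "__main__":
    for canonical in (False, True):
        a = render_start_tag("item", PROCESSOR_A, canonical)
        b = render_start_tag("item", PROCESSOR_B, canonical)
        print("canonical order" if canonical else "processor order")
        print("  A:", a, digest(a)[:16])
        print("  B:", b, digest(b)[:16])
        print("  digests match:", digest(a) == digest(b))
```
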